Cisco Web Security Appliance S160 User Guide
20-35
Cisco IronPort AsyncOS 7.5 for Web User Guide
Chapter 20 Authentication
NTLM Authentication
The NT LAN Manager (NTLM) authenticates users with an encrypted challenge-response sequence that
occurs between the appliance and a Microsoft Windows domain controller. The NTLM
challenge-response handshake occurs when a web browser attempts to connect to the appliance and
before data is delivered.
When you configure an NTLM authentication realm, you do not specify the authentication scheme.
Instead, you choose the scheme at the Access Policy group level when you configure the policy member
definition. This allows you to choose different schemes for different policy groups. When you create or
edit the policy group, you can choose one of the following schemes:
• Use NTLMSSP
• Use Basic or NTLMSSP
• Use Basic
Note: AsyncOS for Web only supports 7-bit ASCII characters for passwords when using the Basic
authentication scheme. Basic authentication fails when the password contains characters that are not
7-bit ASCII.
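The following added example (not code from the guide or from Cisco) models the proxy side of the scheme choice and handshake described above: the Proxy-Authenticate values offered for each policy-group setting, the three-message NTLM exchange over HTTP 407 responses that completes before any data is delivered, and the Basic-scheme failure for a password that is not 7-bit ASCII. The `dc_verify` callback, the realm name `wsa`, and the Type 2 challenge payload are assumptions and placeholders; only the NTLMSSP signature and message-type layout are real protocol structure.

```python
import base64
import os
from typing import Callable, Optional

# Authentication schemes selectable per Access Policy group (as listed in the
# guide), mapped to the HTTP auth scheme names the proxy offers in a 407.
POLICY_SCHEMES = {
    "Use NTLMSSP": ["NTLM"],
    "Use Basic or NTLMSSP": ["NTLM", "Basic"],
    "Use Basic": ["Basic"],
}

# Every NTLMSSP message starts with this 8-byte signature, followed by a
# 4-byte little-endian message type (1 negotiate, 2 challenge, 3 authenticate).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def proxy_authenticate_values(policy_scheme: str) -> list:
    """Proxy-Authenticate values for the first 407 sent to an unauthenticated client."""
    if policy_scheme not in POLICY_SCHEMES:
        raise ValueError(f"unknown scheme setting: {policy_scheme!r}")
    # The realm name "wsa" is a placeholder chosen for this demo.
    return [s if s == "NTLM" else 'Basic realm="wsa"' for s in POLICY_SCHEMES[policy_scheme]]


def is_7bit_ascii(text: str) -> bool:
    """Basic authentication on the appliance only accepts 7-bit ASCII passwords."""
    return all(ord(ch) < 0x80 for ch in text)


def encode_basic(user: str, password: str) -> str:
    """Build a 'Basic <base64(user:password)>' header value (client side)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_basic_credentials(header_value: str) -> tuple:
    """Decode a Basic credential; returns (username, password_is_7bit_ascii)."""
    scheme, _, blob = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, is_7bit_ascii(password)


def encode_ntlm(msg_type: int, payload: bytes = b"") -> str:
    """Build a minimal 'NTLM <base64>' header value carrying only the NTLMSSP
    signature, message type and an opaque payload (constructed for the demo)."""
    raw = NTLMSSP_SIGNATURE + msg_type.to_bytes(4, "little") + payload
    return "NTLM " + base64.b64encode(raw).decode("ascii")


def ntlm_message_type(header_value: str) -> int:
    """Message type carried by an 'NTLM <base64>' header value."""
    scheme, _, blob = header_value.partition(" ")
    raw = base64.b64decode(blob)
    if scheme != "NTLM" or len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return int.from_bytes(raw[8:12], "little")


def proxy_auth_step(header_value: Optional[str], policy_scheme: str,
                    dc_verify: Callable[[bytes], bool]) -> tuple:
    """One proxy-side step for a request whose Proxy-Authorization value is
    header_value (None when absent). Returns (status, headers): 407 until the
    credential is accepted, then 200 and the requested data may flow.
    dc_verify stands in for the appliance's check with the domain controller;
    the Type 2 challenge built here is a placeholder, not a real NTLMSSP message."""
    offered = POLICY_SCHEMES[policy_scheme]
    initial = (407, {"Proxy-Authenticate": proxy_authenticate_values(policy_scheme)})
    if header_value is None:
        return initial
    if header_value.startswith("Basic "):
        if "Basic" not in offered:
            return initial
        _, password_ok = check_basic_credentials(header_value)
        blob = base64.b64decode(header_value.partition(" ")[2])
        # A non-7-bit-ASCII password fails before the credential is ever checked.
        return (200, {}) if password_ok and dc_verify(blob) else initial
    if "NTLM" not in offered:
        return initial
    msg_type = ntlm_message_type(header_value)
    if msg_type == 1:  # negotiate -> answer with a challenge
        challenge = NTLMSSP_SIGNATURE + (2).to_bytes(4, "little") + os.urandom(8)
        return 407, {"Proxy-Authenticate": ["NTLM " + base64.b64encode(challenge).decode("ascii")]}
    if msg_type == 3:  # authenticate -> verify against the domain controller
        blob = base64.b64decode(header_value.partition(" ")[2])
        return (200, {}) if dc_verify(blob) else initial
    raise ValueError(f"unexpected NTLM message type {msg_type} from client")


if __name__ == "__main__":
    # Walk the three-message NTLM exchange; data is only released at the 200.
    accept_all = lambda blob: True
    print(proxy_auth_step(None, "Use Basic or NTLMSSP", accept_all))
    print(proxy_auth_step(encode_ntlm(1), "Use Basic or NTLMSSP", accept_all))
    print(proxy_auth_step(encode_ntlm(3), "Use Basic or NTLMSSP", accept_all))
    print(proxy_auth_step(encode_basic("alice", "Contraseña"), "Use Basic", accept_all))
```

Running the block shows two 407 responses (the initial offer and the Type 2 challenge) before the 200 for the Type 3 message, and a 407 for the Basic credential with the non-ASCII password even though `dc_verify` accepts everything, which is the failure the note above describes.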
Working with Multiple Active Directory Domains
AsyncOS allows you to create only one NTLM authentication realm. If your organization has multiple
Active Directory domains, you can authenticate users in all domains if the following conditions exist:
Table 20-14 LDAP Group Authorization—User Object Settings (continued)

User Object Setting: Attribute that Contains the Group Name
Description: When the group membership attribute is a DN, this specifies the attribute that
can be used as group name in policy group configurations.
Choose one of the following values:
• cn. A unique identifier in the LDAP directory that specifies the name of a group.
• custom. A custom identifier such as FinanceGroup.

User Object Setting: Query String to Determine if Object is a Group
Description: Choose an LDAP search filter that determines if an LDAP object represents a
user group.
Choose one of the following values:
• objectclass=groupofnames
• objectclass=groupofuniquenames
• objectclass=group
• custom. A custom filter such as objectclass=person.
Note: The query defines the set of authentication groups which can be used
in Web Security Manager policies.
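The following added example (not code from the guide or from Cisco) shows how the two Table 20-14 settings above combine when the group membership attribute holds DNs: each DN is looked up, kept only if the "is this object a group" filter matches, and named through the group-name attribute. The mini-directory, the `memberof` membership attribute, and the DNs are constructed for the demo; the filter parser handles only the single equality filters the table lists.

```python
from typing import Optional

# Constructed mini-directory (DN -> attributes) standing in for the LDAP
# server the appliance would query. Attribute names are stored lowercased and
# values as lists, the way a typical LDAP client library returns them.
DIRECTORY = {
    "cn=FinanceGroup,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfNames"],
        "cn": ["FinanceGroup"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "cn=Engineering,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "groupOfUniqueNames"],
        "cn": ["Engineering"],
        "uniquemember": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["top", "person", "inetOrgPerson"],
        "cn": ["Alice Example"],
        "uid": ["alice"],
        # Group membership attribute whose values are DNs (assumed name).
        "memberof": [
            "cn=FinanceGroup,ou=groups,dc=example,dc=com",
            "cn=Engineering,ou=groups,dc=example,dc=com",
        ],
    },
}


def parse_equality_filter(query: str) -> tuple:
    """Parse a simple equality filter such as 'objectclass=groupofnames'
    (with or without surrounding parentheses) into (attribute, value),
    both lowercased. Only this filter shape is supported here."""
    q = query.strip()
    if q.startswith("(") and q.endswith(")"):
        q = q[1:-1]
    attr, sep, value = q.partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError(f"unsupported filter: {query!r}")
    return attr.strip().lower(), value.strip().lower()


def is_group(entry: dict, group_query: str) -> bool:
    """True when the entry matches the configured group query. Values such as
    objectClass compare case-insensitively, as they do in LDAP."""
    attr, value = parse_equality_filter(group_query)
    return value in [v.lower() for v in entry.get(attr, [])]


def rdn_value(dn: str, attr: str) -> Optional[str]:
    """Value of attr in the leftmost RDN of dn (e.g. 'cn' from 'cn=X,ou=...')."""
    a, _, v = dn.split(",", 1)[0].partition("=")
    return v if a.strip().lower() == attr.lower() else None


def group_name(dn: str, entry: dict, group_name_attr: str) -> Optional[str]:
    """Name used for the group in policy configuration: the configured
    attribute on the group object, falling back to the DN's leftmost RDN."""
    values = entry.get(group_name_attr.lower())
    return values[0] if values else rdn_value(dn, group_name_attr)


def user_groups(user_dn: str, membership_attr: str = "memberof",
                group_name_attr: str = "cn",
                group_query: str = "objectclass=groupofnames") -> list:
    """Resolve a user's groups: look up each DN in the membership attribute,
    keep it only if the group query matches, and name it via group_name_attr."""
    names = []
    for dn in DIRECTORY[user_dn].get(membership_attr, []):
        entry = DIRECTORY.get(dn)
        if entry is None or not is_group(entry, group_query):
            continue  # dangling DN, or an object the query does not treat as a group
        name = group_name(dn, entry, group_name_attr)
        if name:
            names.append(name)
    return names


def policy_group_choices(group_query: str, group_name_attr: str = "cn") -> list:
    """The set of groups the query exposes for use in Web Security Manager policies."""
    names = []
    for dn, entry in DIRECTORY.items():
        if is_group(entry, group_query):
            name = group_name(dn, entry, group_name_attr)
            if name:
                names.append(name)
    return sorted(names)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    for query in ("objectclass=groupofnames", "objectclass=groupofuniquenames",
                  "objectclass=group", "objectclass=person"):
        print(query, "->", user_groups(alice, group_query=query),
              "policy choices:", policy_group_choices(query))
```

Running the block shows that the same user resolves to different groups depending on the query: `objectclass=groupofnames` yields FinanceGroup, `objectclass=groupofuniquenames` yields Engineering, and `objectclass=group` (the Active Directory class) matches nothing in this OpenLDAP-style directory. The custom filter `objectclass=person` makes the person entry itself appear in the policy group choices, which is the effect of the note that the query defines the set of authentication groups.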